Phishing Attacks in the Government and Military Archives • InfoSec Resources

Introduction

For nearly a decade, spear phishing has been a cost effective and highly efficient approach to penetrate the computer networks of government and military institutions. Sophisticated phishing schemes against U.S. civil institutions have increasingly attracted media coverage. Contrary to the popular belief that these institutions have cutting edge information security technology to protect themselves, the reality tells a different story. Since the mid-2000s, high profile network intrusions against government and military institutions initiated by spear phishing have been intensifying in the U.S. Operations such as Titan Rain (2003-2005) and Shady Rat (2010) are not unfamiliar events to Americans that Chinese hackers were suspected to send well-crafted and customized spear phishing emails to the relevant institutions’ personnel so as to steal sensitive government and military data. Nonetheless, foreign governments are not the only attacker against U.S. civil institutions. Cyber-criminals running after financial gain and malevolent insiders who know their institutions inside out are equally good operators when it comes to launching spear phishing schemes targeting careless personnel without good security awareness in these institutions.

In recent years, the computer networks of various U.S. civil institutions such as the Department of Defense (DOD), the Department of Homeland Security, the Office of Personnel Management (OPM), Joint Chief of Staff, etc., have witnessed large-scale spear phishing attacks aiming at their personnel information and national defense facilities. In early 2015, the DOD claimed that six-sevenths of the incoming emails for the military are either spam, malware or spear phishing. This statistic revealed an irony about the security level of government and military institutions. Despite the extraordinary investment and budget assigned to cybersecurity, the number and scale of reported computer network breach and data thefts increase every day in a worrisome pattern. Government institutions are not invincible vis-à-vis malicious cyber operations, notably the most elementary, but highly effective spear phishing scheme.

Security Awareness

The malicious phishers targeting government and military institutions

As a matter of fact, government and military institutions have to face more challenges than commercial ones when it comes to phishing. Not only does the background of the operators and their motives are more diversified, but the phishing techniques and strategies are also more sophisticated. These two characteristics enhance the risk dimension for government and military institutions. For example, phishers aiming at U.S. civil institutions often pretend to be senior officials requesting co-workers or subordinates to provide or renew personal information. Cyber-criminals can use such spear phishing emails to lure victims at government and military institutions to visit malicious websites or download malware. Once the phishing bait catches a victim, the phisher is free to explore the treasure of certain civil institutions.

Apart from cyber-criminals, politically motivated individuals and organizations are also enthusiastic participants in implementing cyberattacks against government and military institutions. Sometimes, it can happen that a group of bored teenagers identify some security vulnerabilities randomly and exploit them to the fullest just for fun. A recent example can be the hacker group, Crackas With Attitude (CWA). One of the group’s hackers, Cracka, hacked into the personal email account of the Director of National Intelligence, James Clapper, simply in an attempt to show his discontent against the government as well as his strong hacking capabilities. It is suspected that this young hacker combined both social engineering and spear phishing techniques to achieve his objectives.

The silent gold mine hidden in government and military institutions

As the saying goes, the greater the effort, the sweeter the reward. Government and military institutions may have higher and better information security products and policies to defend their digital assets yet phishers with determination to succeed will not be discouraged easily by these security tools. They will interpret the highly invested security products differently—the digital assets well secured should be of high value. Indeed, civil institutions possess valuable information that can include weaponry designs, urban planning development strategies, electric grid and nuclear plant access maps, personal information of high level officials, etc. These information and data can be sold at exorbitant price in the black market or to the rival institutions. (The buyers can come from rival states, terrorist organizations or international corporations looking for advantage to access a foreign market.)

A suspected state funded cyber-espionage example is the U.S. military drone; it was reported in late 2015 that the Chinese army succeeded in gathering valuable information via cyber-espionage regarding the state-of-the-art U.S. military drone, the MQ-9 Reaper, to produce its own unmanned aerial vehicle, the Caihong-4. Alternatively, the attacker who succeeded in acquiring such information might take advantage of it to blackmail or embarrass the government institution for more financial gains or for a sense of individual achievement, as seen in the example of CWA. Therefore, individuals and organizations that do not aim for merely financial rewards pose an additional risk for government institutions. Simply exposing the security vulnerabilities for the public deals a fatal blow to the victim institution’s reputation and attracts more phishers to fish in troubled waters in return.

In what ways are government and military institutions targeted?

At first glance, in order to gain access to the targeted civil institution’s network, a high level of information technology knowledge is required to develop extraordinarily complex computer viruses and tools. This is certainly an effective approach, but also an over-simplified representation. Phishers understand that behind all monitors, there are people operating the computer systems. Therefore, both malicious and careless employees can pose a threat to the institution. Negligent coworkers with low cybersecurity awareness may be mistaken by skillfully planned spear phishing emails while those with nefarious intentions may take advantage of their insider knowledge to create accurate internal information-based phishing schemes. A good example involving an insider phishing threat would be the former employee of U.S. Department of Energy, Charles Harvey Ecclestonis. He attempted a spear phishing scheme against his former colleagues in order to sell the targeted information to foreign governments. He was sentenced to 18 months in prison for his plan in April 2016.

Moreover, targeting crucial government institutions provides a great opportunity for further exploit of the stolen information for multiple purposes. The year 2015 marked a series of high level network breaches caused by spear phishing. For example, in August 2015, the cybersecurity officials of the DOD revealed a suspected Russian originated spear phishing attack compromising the email accounts of approximately 4,000 military officers.

In mid-2015, the well-known cyberattack against OPM was discovered. This incident was considered as the ‘biggest government hack ever’ that gave the attackers access to millions of sensitive data about the employees and government contractors of the institution. An estimated four million records were stolen and a considerable number of field agents had to retreat from their mission. The phishers delivered powerful malware through spear phishing emails targeting OPM employees. When a careless employee was lured to a well-crafted phishing page and downloaded the malware, it started to install itself automatically on the computers and the network, eventually giving more opportunities for the phishers to explore further the sensitive information of the institution. The phishers were not satisfied by such a successful intrusion. They continued to launch malicious personalized phishing attempts based on the stolen OPM employee information.

Phishing continues to attract media attention in 2016. The recent 48-hour server shutdown of the DOD in March 2016 was caused by severe spear phishing emails penetrating the networks of DOD. The authorities were alerted to temporarily stop the private email access so as to investigate the incident. Government and military institutions often underestimate the effectiveness and impact of spear phishing. It is considered as a simple technique that well secured computer networks will unlikely fall prey to. Unfortunately, the reality reveals that a successful implementation of spear phishing can cause a great deal of loss to the targeted institution. Phishers can smell the vulnerabilities. All they need is a tiny security flaw or a careless employee to get into the institution’s network. Once they are inside, they are free to exploit the system vulnerabilities without limit and acquire the digital assets of the institution.

Prevention is the solution—SecurityIQ Phishsim solution

Once again, the human factor is decisive in protecting the civil institution’s digital assets. An institution can have the most advanced anti-phishing software that blocks almost all scams. Unfortunately, careless or malicious employees can serve as the key to open the safe for cyberattack operators. Since early 2014, the U.S. military has recognized the immediateness to raise their personnel’s awareness of spear phishing. Thrift Savings Plan was adopted by high level U.S. military officers to test the employees of the FBI, Customs and Border Protection, the Labor Department and other agencies. The DOD hack in August 2015 further promoted a wave of spear phishing awareness training for military officers and personnel. U.S. high level officials acknowledge the decisive human factor in dealing with spear phishing schemes. It is immediate and crucial to improve the cybersecurity awareness of the personnel of U.S. civil institutions.

InfoSec Institute is renowned for its leading cybersecurity training solutions. For over a decade, InfoSec has provided customized information security training and products to institutions ranging from governments and banks to corporations in various sectors. Numerous cybersecurity professionals have undergone high level training with InfoSec Institute. In the domain of phishing awareness training, InfoSec Institute appears to be the market leader. You are invited to explore the institute’s certification and security awareness programs here.

Moreover, following the increasing network intrusions against government and military institutions, InfoSec Institute has recently introduced a new program, SecurityIQ. It is an innovative customizable web-based training platform to improve the personnel’s information security awareness. This tool provides an overview of various phishing techniques and indicators of suspicious messages and online advertisements. To start using the product and phish your co-workers, please click here to set up your free account.

SecurityIQ helps cybersecurity professionals build phishing email templates effectively and add different users to the customized training program. The default settings of SecurityIQ provide a considerable number of high quality phishing email templates. Depending on the nature of the institution, the account administrator can create, modify and add elements relevant to their activities to enhance the credibility of the message. The following screenshot shows the user-friendly editing interface of Phishsim, one of the best features of SecurityIQ:

siq1

As an example, this article chose a government institution template and edited it to adapt to the training needs of the personnel. The aforementioned suspected leaked U.S. unmanned aerial vehicle to the Chinese army incident is employed to illustrate a possible spear phishing scenario.

siq2

A spyware or phishing site can be added to the word ‘footage’ so as to infect the targeted computer network. After creating this message, the cybersecurity officer might send it to colleagues to see their reactions. According to the personnel’s responses, whether they fall prey to the scam, ignore the message or report it to senior officers, the institution will then be able to establish relevant training for the personnel.

Given the rapidly developing malicious cyberspace activities against government and military institutions, empowering the personnel’s information security awareness is an immediate and urgent need. InfoSec Institute’s latest information security platform, SecurityIQ, can help protect civil institutions from multidimensional cyber threats, beginning with the simplest and most effective one: phishing.

Section Guide
Ryan
Fahey